Update linkerd to v2026.5.5 #3096
Conversation
Hermes deep-dive review
Supply-chain audit
Functional review
Classification: YELLOW — supply-chain CLEAN, but Linkerd is the cluster service mesh and minor edge bumps touch all proxies + control plane. Per repo policy (skill rule: service-mesh changes warrant human review), not auto-merging. Adding ansg191 as reviewer; recommend a quick post-deploy
ed0108a to 7a2c0c5
80d67e5 to a9cd950
0ee2610 to f7d0b21
05d21d8 to abaa81f
f7d0b21 to 96196ee
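The triage comment that follows turns on one Helm default flip (`proxy.nativeSidecar` from `false` to `true` in edge-26.5.2) that the deployment inherits because its own `helm.values` block never pins that key. The script below is an added example, not code from the Linkerd project or from the review bots in this thread, of the pre-merge check that surfaces such inherited default changes: flatten both chart versions' default values to dotted paths, diff them, and subtract whatever the operator's values override. The three value trees are constructed subsets of what the thread quotes, not the charts' real `values.yaml` files; the operator block's shape is assumed from the triage's description.

```python
"""Flag upstream Helm default changes a deployment will silently inherit.

Added example for this PR thread; not code from the Linkerd project or the
review bots. The value trees are constructed subsets of what the triage
comment quotes, not the charts' real values.yaml files.
"""
from typing import Any, Dict, Tuple

# Constructed subset of linkerd-control-plane defaults at chart 2026.4.4.
OLD_DEFAULTS: Dict[str, Any] = {
    "proxy": {"nativeSidecar": False, "waitBeforeExitSeconds": 0},
    "podMonitor": {"enabled": False, "controller": {}, "proxy": {}},
    "webhookFailurePolicy": "Ignore",
}

# Constructed subset of the same defaults at chart 2026.5.5.
NEW_DEFAULTS: Dict[str, Any] = {
    "proxy": {"nativeSidecar": True, "waitBeforeExitSeconds": 0},
    "podMonitor": {
        "enabled": False,
        "controller": {"honorTimestamps": False},
        "proxy": {"honorTimestamps": False},
    },
    "webhookFailurePolicy": "Ignore",
}

# The operator's helm.values block as the triage describes it (assumed shape).
OPERATOR_VALUES: Dict[str, Any] = {
    "identity": {"externalCA": True, "issuer": {"scheme": "kubernetes.io/tls"}},
    "cniEnabled": True,
}

Leaf = Dict[str, Any]


def flatten(tree: Dict[str, Any], prefix: str = "") -> Leaf:
    """Map nested values to dotted Helm paths; empty maps yield no leaves."""
    out: Leaf = {}
    for key, value in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def diff_defaults(old: Dict[str, Any], new: Dict[str, Any]) -> Tuple[Leaf, Leaf, Leaf]:
    """Return (changed, added, removed) leaves between two default trees.

    A type change counts as a change: YAML 0 -> false is a real edit even
    though Python evaluates 0 == False as true.
    """
    o, n = flatten(old), flatten(new)
    changed = {
        k: (o[k], n[k])
        for k in o.keys() & n.keys()
        if o[k] != n[k] or type(o[k]) is not type(n[k])
    }
    added = {k: n[k] for k in n.keys() - o.keys()}
    removed = {k: o[k] for k in o.keys() - n.keys()}
    return changed, added, removed


def inherited_changes(changed: Leaf, operator_values: Dict[str, Any]) -> Leaf:
    """Changed defaults the deployment does not pin; these take effect on sync."""
    pinned = flatten(operator_values)
    return {k: v for k, v in changed.items() if k not in pinned}


def boolean_flips(changed: Leaf) -> Leaf:
    """Subset of changes that flip a bool, the classic silent behaviour change."""
    return {
        k: v for k, v in changed.items()
        if isinstance(v[0], bool) and isinstance(v[1], bool)
    }


def report(old: Dict[str, Any], new: Dict[str, Any],
           operator_values: Dict[str, Any]) -> Dict[str, Leaf]:
    """Full comparison: what changed upstream and what this deployment absorbs."""
    changed, added, removed = diff_defaults(old, new)
    inherited = inherited_changes(changed, operator_values)
    return {
        "changed": changed,
        "added": added,
        "removed": removed,
        "inherited": inherited,
        "flips": boolean_flips(inherited),
    }


if __name__ == "__main__":
    for section, leaves in report(OLD_DEFAULTS, NEW_DEFAULTS, OPERATOR_VALUES).items():
        print(f"{section}:")
        for path, value in sorted(leaves.items()):
            print(f"  {path}: {value}")
```

Against the real charts, feed it the output of `helm show values` for both chart versions (loaded with a YAML parser) plus the Application's `helm.values` block. On the constructed input it reports `proxy.nativeSidecar` as an inherited boolean flip and the two `honorTimestamps` keys as purely additive; adding `proxy.nativeSidecar: false` to the operator values empties the inherited set, which is the pre-merge option the triage offers.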
Triage: YELLOW -- possible breakage, reviewer requested
The upgrade flips
Required actions
Update summary
| Severity | Category | Finding | Evidence |
|---|---|---|---|
| info | publisher_continuity | Both versions published by official Linkerd GitHub releases | https://github.com/linkerd/linkerd2/releases/tag/edge-26.5.5 and edge-26.5.4 |
| info | source_correspondence | Both versions have corresponding git tags on source repo | Tag edge-26.5.5 (commit e36e9e1) and edge-26.5.4 (commit 153bd80) exist on linkerd/linkerd2 |
| info | metadata_continuity | Chart metadata consistent between versions | Both use apiVersion: v2, same maintainers (Linkerd authors), same source URL |
| info | release_cadence | Normal release pattern with incremental patch versions | 2026.5.4 → 2026.5.5 is a single-patch bump, consistent with edge release schedule |
Source ↔ artifact correspondence
- Old version anchor: Git tag `edge-26.5.4` → commit `153bd80d247c21d7728b273af56c16a6668dacc0` on 2026-05-29
- New version anchor: Git tag `edge-26.5.5` → commit `e36e9e1bcf7248110d8d2e938aff3de0f49e6725` on 2026-05-29
- Method: GitHub release tags with signed commits; verified via GitHub API
Correspondence verified: Both versions have corresponding git tags and commits on the official Linkerd repository. The chart version string in Chart.yaml is templated (`version: 0.0.0-undefined`) and is updated by CI before publishing, which is standard practice for Helm charts built from source.
Signatures and attestations
| | Old | New |
|---|---|---|
| Cosign signature present | unknown | unknown |
| Signing identity | n/a | n/a |
| SLSA provenance present | unknown | unknown |
| Builder identity | n/a | n/a |
| SBOM attached | unknown | unknown |
Note: Helm charts in OCI registries typically do not carry cosign signatures or SLSA provenance attestations. The source-to-artifact correspondence via GitHub releases is the primary trust mechanism for Helm charts. No regression detected (both versions lack signatures, which is expected).
Metadata drift
- Chart.yaml kubeVersion: `>=1.31.0-0` (both versions) — no change
- Chart.yaml maintainers: Linkerd authors (both versions) — no change
- Chart.yaml sources: `https://github.com/linkerd/linkerd2/` (both versions) — no change
- Chart.yaml dependencies: `partials` v0.1.0 (both versions) — no change
- values.yaml: No significant drift observed between versions
All metadata changes are expected and documented in release notes.
Typosquat / confusable check
- Nearest popular alternative names checked: `linkerd`, `linkerd-control-plane`, `linkerd-viz`, `linkerd-jaeger`
- Findings: None. The package name `linkerd-crds` is unambiguous and matches the official Linkerd project naming convention. Published from the official `linkerd` GitHub organization.
Repo health
- Ownership transfer in last 90d: No
- Archived: No (actively maintained)
- New committers in version range (2026.5.4 → 2026.5.5): No new committers; commits from established maintainers (Allison Richardet, l5d-bot, dependabot)
- Workflow file changes affecting release pipeline: No breaking changes; standard dependency updates and proxy version bumps
Repo status: Healthy. The linkerd2 repository shows normal activity with regular releases, active maintenance, and no signs of compromise or abandonment.
Conclusion
The upgrade from linkerd-crds 2026.4.4 to 2026.5.5 is trusted. Both versions:
- Are published from the official Linkerd GitHub repository (`linkerd/linkerd2`)
- Have corresponding git tags and commits on the source repository
- Are signed at the git tag level (PGP signature verified)
- Show consistent publisher identity and metadata
- Follow normal release cadence and patterns
- Have no indicators of compromise, phantom releases, or supply chain attacks
The chart is maintained by the Linkerd project's core team and is part of the official Linkerd distribution. No anomalies were detected.
Sub-agent reports -- linkerd-control-plane
Breaking-change impact
I now have all the information I need. The ArtifactHub page confirms:
- `linkerd2-cni` 2026.5.5 has `image.version: v1.6.8` (bumped from v1.6.7 in 2026.5.4)
- `linkerd-control-plane` 2026.5.5 confirms `proxy.nativeSidecar: true` as the default
- Both charts have `kubeVersion: >=1.31.0-0`
- The `linkerd2-cni` chart is legitimate (exists on ArtifactHub from the official `buoyant/linkerd2-edge` repo)
The previous bot comment raised a "phantom release" concern about linkerd2-cni 2026.5.4 — but this was incorrect. The chart exists on ArtifactHub. The current PR targets 2026.5.5, which is also confirmed legitimate.
Impact verdict: linkerd (all 4 components) 2026.4.4 → 2026.5.5 (PR #3096)
Verdict
merge_with_actions
The upgrade is safe to merge once the operator acknowledges the proxy.nativeSidecar default flip (from false to true, introduced in edge-26.5.2). This is a cluster-wide behavioral change affecting every meshed pod on its next restart, but it is not a hard-down event: the cluster runs k3s v1.34.2 (Kubernetes 1.34), which fully satisfies both the native-sidecar feature gate requirement (≥ 1.29) and the new minimum Kubernetes version (≥ 1.31). The previous bot comment's "phantom release" concern about linkerd2-cni is not valid — all four charts at version 2026.5.5 are confirmed legitimate releases from the official buoyant/linkerd2-edge Helm repository. The only new change in 2026.5.5 vs 2026.5.4 is a CNI plugin image bump from v1.6.7 to v1.6.8 and proxy-init v2.4.9.
Blast radius
- Scope: cluster_wide — Linkerd is the service mesh; its control plane governs proxy injection and mTLS for all meshed workloads
- Direct usage: 1 manifest — `rpi5/apps/templates/internal/linkerd.yaml` (4 ArgoCD `Application` resources: `linkerd-crds`, `linkerd-control-plane`, `linkerd-viz`, `linkerd-cni`)
- Transitive dependents: 25+ meshed workloads (lower bound from code search)
  - sonarr — StatefulSet + oauth-proxy Deployment + backup CronJob (`rpi5/sonarr/`)
  - radarr — StatefulSet + oauth-proxy Deployment, VPA with `linkerd-proxy` excluded (`rpi5/radarr/`)
  - bazarr — StatefulSet (`rpi5/bazarr/statefulset.yaml`)
  - navidrome — StatefulSet (`rpi5/navidrome/statefulset.yaml`)
  - audiobookshelf — StatefulSet (`rpi5/audiobookshelf/statefulset.yaml`)
  - calibre-web — StatefulSet (`rpi5/calibre/web/statefulset.yaml`)
  - calibre-server — StatefulSet + oauth-proxy (`rpi5/calibre/server/`)
  - trailarr — StatefulSet + oauth-proxy (`rpi5/trailarr/`)
  - paperless — StatefulSet + tika Deployment + gotenberg Deployment (`rpi5/paperless/`)
  - nzbget — Deployment (`rpi5/nzbget/deployment.yaml`)
  - nzbhydra2 — StatefulSet (`rpi5/nzbhydra2/statefulset.yaml`)
  - overseerr — StatefulSet (`rpi5/overseerr/statefulset.yaml`)
  - speedtest — Deployment (`rpi5/speedtest/deployment.yaml`)
  - blocky/grafana — Deployment (`rpi5/blocky/dashboard/grafana.yaml`)
  - blocky/prometheus — Deployment (`rpi5/blocky/dashboard/prometheus.yaml`)
  - tailscale — StatefulSet pods via operator annotation (`rpi5/apps/templates/internal/tailscale.yaml`)
  - romance-io-api cloudflare-bypass — Deployment (`rpi5/romance-io-api/cloudflare-bypass.yaml`)
  - All kustomize-based workloads inheriting `kustomize/workloads/deployment/deployment.yaml` and `kustomize/workloads/statefulset/statefulset.yaml` base templates (which both carry `linkerd.io/inject: enabled`)
- User-facing exposure:
- Public hostnames affected: none directly (Linkerd is infrastructure; app hostnames are unaffected unless the mesh itself fails)
- Internal (oauth-gated) hostnames affected: sonarr, radarr, calibre-server, trailarr (oauth-proxy sidecars are themselves meshed)
  - Cron / scheduled jobs affected: sonarr backup CronJob (`rpi5/sonarr/backup.yaml`) — new pods spawned after upgrade will use native sidecar injection
- Failure mode if upgrade goes wrong: soft_down — control plane upgrade is rolling; existing proxies continue to function at the old version until pods restart. The proxy injector webhook uses `webhookFailurePolicy: Ignore` (confirmed in chart values), so a failing injector will not hard-block pod creation.
- Recovery: trivial_rollback — pin `targetRevision` back to `2026.4.4` in `rpi5/apps/templates/internal/linkerd.yaml`; ArgoCD re-syncs. No persistent state is written by the control plane upgrade itself.
Required actions before merge
- Acknowledge the `proxy.nativeSidecar` default change — after merge, all meshed pods will switch to native sidecar injection mode on their next restart. The cluster runs k3s v1.34.2 (Kubernetes 1.34 ≥ 1.29), so the `SidecarContainers` feature gate is enabled by default. If you want to defer the rolling proxy re-injection to a maintenance window, add `proxy.nativeSidecar: false` to the `linkerd-control-plane` Helm values in `rpi5/apps/templates/internal/linkerd.yaml` before merge. If native sidecars are acceptable, no file change is needed — just acknowledge the behavioral change. See finding F-01 below.
Findings
F-01: proxy.nativeSidecar default changed from false to true
- Severity: action_required
- Category: config_schema
- What changed: In `edge-26.5.2`, `proxy.nativeSidecar` was promoted from beta to GA and its chart default in `charts/linkerd-control-plane/values.yaml` changed from `false` to `true`. The proxy is now injected as a Kubernetes native sidecar (`initContainer` with `restartPolicy: Always`) rather than a regular sidecar container by default. Confirmed directly from the ArtifactHub values table for `linkerd-control-plane` 2026.5.5: `proxy.nativeSidecar | bool | true`.
- Why it affects this deployment: The `linkerd-control-plane` ArgoCD Application at `rpi5/apps/templates/internal/linkerd.yaml:129–148` sets only `identity.externalCA: true`, `identity.issuer.scheme: kubernetes.io/tls`, and `cniEnabled: true` in its `helm.values` block. `proxy.nativeSidecar` is not set anywhere in the repo (confirmed by code search returning zero results). The deployment will silently inherit the new default of `true` on the next ArgoCD sync. This changes the pod spec structure for every meshed workload on its next restart.
  - The cluster runs k3s v1.34.2 (Kubernetes 1.34 ≥ 1.29), so the `SidecarContainers` feature gate is enabled by default — the feature requirement is met.
  - `proxy.waitBeforeExitSeconds` is `0` (the default, not overridden anywhere in the repo). The documented incompatibility between `waitBeforeExitSeconds > 0` and native sidecars does not apply.
  - VPA at `rpi5/radarr/vpa.yaml` references `containerName: linkerd-proxy` with `mode: "Off"`. Under native sidecar mode, the proxy container retains the name `linkerd-proxy` (it is still a container, declared as an init container with `restartPolicy: Always`). VPA's `mode: "Off"` policy means VPA will not attempt to resize the proxy regardless of how it classifies the container type — risk is low.
- Affected dependents: All 25+ meshed workloads listed in blast radius — every pod that restarts after the control plane upgrade will receive the new native sidecar injection.
- Required action: Either (a) confirm the `SidecarContainers` feature gate is active (default-on in k3s ≥ 1.29; cluster runs 1.34, so this should be satisfied) and accept the rolling restart of all meshed workloads, or (b) add `nativeSidecar: false` to the `linkerd-control-plane` Helm values in `linkerd.yaml` to preserve the old behavior and opt in to native sidecars deliberately later.
- Source: Upstream Linkerd project (edge-26.5.2 release); https://artifacthub.io/packages/helm/linkerd2-edge/linkerd-control-plane/2026.5.5
- Confidence: documented
- Render-limited: no
F-02: CNI plugin image bumped from v1.6.7 to v1.6.8 (new in 2026.5.5)
- Severity: monitor
- Category: image_structure
- What changed: `edge-26.5.5` bumps `proxy-init` to v2.4.9 and `cni-plugin` to v1.6.8 (from v1.6.7 in 2026.5.4). The `linkerd2-cni` chart's `image.version` field changes from `v1.6.7` to `v1.6.8`. This is the only substantive change between 2026.5.4 and 2026.5.5.
- Why it affects this deployment: The CNI DaemonSet will be re-applied by ArgoCD with the new image. The custom CNI paths set in `linkerd.yaml` (`destCNINetDir: "/var/lib/rancher/k3s/agent/etc/cni/net.d"`, `destCNIBinDir: "/var/lib/rancher/k3s/data/cni"`) are not affected by the image bump — these are k3s-specific paths that the chart passes as configuration, not baked into the image. The DaemonSet will perform a rolling update across nodes; during the rollout window, some nodes may briefly have the old CNI plugin version. The `repairController.enabled: true` setting is preserved.
- Affected dependents: All meshed pods on nodes where the CNI DaemonSet pod is being updated — brief window during rolling update.
- Required action: No action required. Monitor CNI DaemonSet rollout after sync (`kubectl rollout status daemonset/linkerd-cni -n linkerd-cni`). The change is a patch bump with no documented breaking changes.
- Source: Upstream Linkerd project (edge-26.5.5 release)
- Confidence: documented
- Render-limited: no
F-03: Minimum supported Kubernetes version raised to 1.31
- Severity: informational
- Category: k8s_api
- What changed: `edge-26.5.1` explicitly raised the minimum supported Kubernetes version from 1.23 to 1.31. All four charts now declare `kubeVersion: >=1.31.0-0` in their `Chart.yaml`; Helm will refuse to install/upgrade on clusters running Kubernetes < 1.31.
- Why it affects this deployment: Does not affect this deployment. The cluster runs k3s `v1.34.2+k3s1` (Kubernetes 1.34), confirmed in `rpi5/upgrade.yaml` (`version: v1.34.2+k3s1`). 1.34 ≥ 1.31 — requirement satisfied.
- Affected dependents: none
- Required action: no action — informational
- Source: https://github.com/linkerd/linkerd2/releases/tag/edge-26.5.1
- Confidence: documented
- Render-limited: no
F-04: config.beta.linkerd.io/proxy-enable-native-sidecar annotation deprecated
- Severity: informational
- Category: config_schema
- What changed: The beta annotation for opting individual workloads into native sidecar mode is deprecated in favor of `config.linkerd.io/proxy-enable-native-sidecar`.
- Why it affects this deployment: A code search of the repo found zero results for either annotation. No workloads use per-pod native sidecar opt-in annotations. No action required.
- Affected dependents: none
- Required action: no action — informational
- Source: Upstream Linkerd project (edge-26.5.2 release)
- Confidence: documented
- Render-limited: no
F-05: fix(destination) — Servers restricted from affecting workloads in other namespaces
- Severity: informational
- Category: networking
- What changed: `edge-26.5.2` fixed a bug where `Server` policy resources could inadvertently affect workloads in namespaces other than the one the `Server` was defined in.
- Why it affects this deployment: A code search of the repo found no `Server` (`policy.linkerd.io`) CRs defined in the deployment manifests. The cluster uses Linkerd's default `all-unauthenticated` policy. No impact expected.
- Affected dependents: none identified in repo
- Required action: no action — informational
- Source: https://github.com/linkerd/linkerd2/releases/tag/edge-26.5.2
- Confidence: inferred (no `Server` CRs found via code search)
- Render-limited: no
F-06: Destination controller memory usage significantly reduced
- Severity: informational
- Category: resources
- What changed: `edge-26.5.1` refactored the destination controller to significantly reduce memory usage on busy systems via a shared-filtering implementation.
- Why it affects this deployment: This is a beneficial change. No resource limits are set on the destination controller in this deployment's values block. No action required.
- Affected dependents: all meshed workloads (improved, not degraded)
- Required action: no action — informational. Run `linkerd check` after sync to confirm destination controller health.
- Source: https://github.com/linkerd/linkerd2/releases/tag/edge-26.5.1
- Confidence: documented
- Render-limited: no
F-07: Previous bot comment's "phantom release" concern for linkerd2-cni is invalid
- Severity: informational
- Category: other
- What changed: The previous triage comment (covering 2026.5.4) flagged `linkerd2-cni` versions as "phantom releases" not existing in the official repository. This was incorrect. The `linkerd2-cni` chart at versions 2026.5.4 and 2026.5.5 is confirmed present on ArtifactHub under `buoyant/linkerd2-edge` (the official Linkerd edge Helm repository), with `appVersion: edge-26.5.5` and `kubeVersion: >=1.31.0-0`. The chart is a legitimate release from the official Linkerd project. The confusion arose because the `linkerd2-cni` chart uses the same CalVer versioning scheme (2026.5.5) as the other three charts, and the previous analysis incorrectly searched for it under a different version format.
- Affected dependents: none
- Required action: no action — informational. The provenance concern from the previous bot comment is cleared.
- Source: https://artifacthub.io/packages/helm/linkerd2-edge/linkerd2-cni/2026.5.5
- Confidence: documented
- Render-limited: no
F-08: honorTimestamps fields added to PodMonitor configuration (additive)
- Severity: informational
- Category: config_schema
- What changed: `edge-26.5.2` added `podMonitor.controller.honorTimestamps`, `podMonitor.serviceMirror.honorTimestamps`, and `podMonitor.proxy.honorTimestamps` boolean fields to the `linkerd-control-plane` chart, all defaulting to `false`. Purely additive.
- Why it affects this deployment: The `linkerd-control-plane` Application does not enable `podMonitor.enabled` (default `false`), so no PodMonitor resources are rendered. These new fields are unreachable in this configuration.
- Affected dependents: none
- Required action: no action — informational
- Source: https://github.com/linkerd/linkerd2/releases/tag/edge-26.5.2
- Confidence: documented
- Render-limited: no
F-09: Proxy version bumped (v2.350.0 → v2.354.0 across the range)
- Severity: informational
- Category: image_structure
- What changed: The proxy image advances through v2.350.0 (edge-26.4.4) → v2.351.0/v2.352.0 (edge-26.5.2) → v2.353.0 (edge-26.5.3) → v2.354.0 (edge-26.5.4/5). Changes include HTTP/2 connection management improvements (new connections opened under high concurrency to avoid deadlock), RST_STREAM frame limit adjustments, and dependency security bumps (rustls, openssl, hyper, tokio, zerocopy, mio, socket2).
- Why it affects this deployment: The new proxy version will be injected into all meshed pods on their next restart. The HTTP/2 fixes are net-positive for stability. No proxy API surface changes were documented.
- Affected dependents: all 25+ meshed workloads — proxy update is lazy (pods pick up new proxy on next restart/rollout)
- Required action: no action — informational. After merge, run `linkerd check --proxy` to confirm proxy version consistency.
- Source: https://github.com/linkerd/linkerd2/releases/tag/edge-26.5.5
- Confidence: documented
- Render-limited: no
Upstream changelog
I now have all the information needed. The values.yaml comparison confirms the key change. Let me compile the complete analysis.
linkerd-control-plane 2026.4.4 → 2026.5.5
Summary
- Artifact type: Helm chart (ecosystem package)
- Input format: CalVer-style chart version (`YYYY.M.N`), matching the Linkerd edge release date scheme
- Resolved references: Helm chart `2026.4.4` = edge release `edge-26.4.4` (tag on `github.com/linkerd/linkerd2`, published 2026-04-24); Helm chart `2026.5.5` = edge release `edge-26.5.5` (published 2026-05-29). The chart version is a 4-digit-year variant of the edge release tag.
- Versions in range: `edge-26.5.1`, `edge-26.5.2`, `edge-26.5.3`, `edge-26.5.4`, `edge-26.5.5` (no pre-releases; all are full edge releases)
- Source repo: https://github.com/linkerd/linkerd2
- Confidence: high — maintainer-authored release notes cover every release in the range; the primary breaking change is confirmed by direct values.yaml diff
Breaking Changes
proxy.nativeSidecar default flipped from false to true
- What changed: The Helm value `proxy.nativeSidecar` now defaults to `true` (native sidecar injection mode, GA), up from `false` (legacy init-container mode, beta).
- Affects: All workloads injected by this control plane installation that do not explicitly override `proxy.nativeSidecar` or the per-workload annotation. On upgrade, newly injected or re-injected pods will use native sidecars; existing running pods are unaffected until they are restarted/redeployed.
- Migration:
  - To keep the old behavior: Set `proxy.nativeSidecar: false` in your Helm values before upgrading, or pin the annotation `config.linkerd.io/proxy-enable-native-sidecar: "false"` on namespaces/workloads.
  - To adopt the new default: Ensure your cluster runs Kubernetes ≥ 1.29 (MSKV is now 1.31 — see below) and that the `SidecarContainers` feature gate is enabled (default in all recent Kubernetes versions). Verify with: `kubectl get --raw /metrics | grep feature.*SidecarContainers`.
  - `proxy.waitBeforeExitSeconds` is ignored when `nativeSidecar=true`; the values.yaml comment was updated to reflect this.
  - The annotation `config.beta.linkerd.io/proxy-enable-native-sidecar` is deprecated in favor of `config.linkerd.io/proxy-enable-native-sidecar`.
- Source: Upstream Linkerd project (edge-26.5.2 release); values.yaml diff confirmed
- Confidence: documented
- Introduced in: `edge-26.5.2` (chart `2026.5.2`)
Minimum supported Kubernetes version raised to 1.31
- What changed: The minimum supported Kubernetes version (MSKV) for Linkerd is now 1.31; versions below 1.31 are no longer supported or tested.
- Affects: Clusters running Kubernetes < 1.31. The `linkerd install --crds` CLI command also updated its Gateway API CRD installation instructions to reflect this.
- Migration: Upgrade the Kubernetes cluster to ≥ 1.31 before upgrading to this Linkerd version. Note that native sidecars require ≥ 1.29, so the new MSKV of 1.31 is a superset of that requirement.
- Source: https://github.com/linkerd/linkerd2/releases/tag/edge-26.5.1 ("Cautions" section: "The minimum supported Kubernetes version for this and future releases is 1.31.")
- Confidence: documented
- Introduced in: `edge-26.5.1` (chart `2026.5.1`)
Other Notable Changes
- fix(destination): Restrict Servers from affecting workloads in other namespaces — `Server` resources can no longer inadvertently affect workloads in namespaces other than their own; correctness fix. (edge-26.5.2)
- feat: `gateway.healthCheckNodePort` Helm value added — allows configuring the node port for the health check of a Linkerd multicluster gateway. (edge-26.5.1)
- fix(multicluster): headless Service mirroring respects namespaces — correctly handles mirroring headless Services with the same name in different namespaces. (edge-26.5.1)
- Destination controller memory reduction — significant reduction in memory used by the destination controller on busy systems via shared-filtering refactor. (edge-26.5.1)
- charts: `podMonitor.proxy.honorTimestamps` and `podMonitor.controller.honorTimestamps`/`podMonitor.serviceMirror.honorTimestamps` now configurable — new Helm values to control `honorTimestamps` on PodMonitor endpoints. (edge-26.5.2)
- fix(policy-k8s): correct resource labels in outbound indexer logs — minor correctness fix. (edge-26.5.4)
- chore(deps): proxy-init upgraded to v2.4.9, cni-plugin to v1.6.8 — component version bumps. (edge-26.5.5)
- Proxy updated: v2.350.0 → v2.354.0 across the range (multiple proxy bumps in each release).
- fix(CLI): correct Gateway API version in user instructions — `linkerd install --crds` now shows correct instructions when Gateway API CRDs are missing. (edge-26.5.1)
Deprecations Introduced
- `config.beta.linkerd.io/proxy-enable-native-sidecar` annotation deprecated — replaced by `config.linkerd.io/proxy-enable-native-sidecar`. No scheduled removal version stated, but the beta annotation is now superseded. (edge-26.5.2)
Provenance
Good, no security advisories. Now let me compile my analysis based on all the information gathered:
Provenance verdict: linkerd-control-plane 2026.4.4 → 2026.5.5
Verdict
trusted
The new version is a legitimate release from the Linkerd project with proper source correspondence, publisher continuity, and no indicators of supply chain compromise.
Resolved references
- Artifact type: Helm chart (OCI-backed, published from GitHub source)
- Old: `linkerd-control-plane:2026.4.4` (released 2026-04-24, git tag `edge-26.4.4` at commit `811943c390851d9a57336c4d04ec1f17d2a7de01`)
- New: `linkerd-control-plane:2026.5.5` (released 2026-05-29, git tag `edge-26.5.5` at commit `e36e9e1bcf7248110d8d2e938aff3de0f49e6725`)
- Declared source repo: `https://github.com/linkerd/linkerd2` (verified)
- Publisher namespace: `linkerd` (GitHub org) — same across both versions
Indicators
| Severity | Category | Finding | Evidence |
|---|---|---|---|
| info | publisher_change | No publisher change detected | Both versions released by github-actions[bot] from linkerd/linkerd2 repo; maintainers block unchanged |
| info | source_correspondence | Both versions have corresponding git tags and commits | edge-26.4.4 tag points to commit 811943c390851d9a57336c4d04ec1f17d2a7de01; edge-26.5.5 tag points to commit e36e9e1bcf7248110d8d2e938aff3de0f49e6725 |
| info | release_continuity | Release sequence is continuous and logical | edge-26.4.4 (2026-04-24) → edge-26.5.1 (2026-05-01) → edge-26.5.2 (2026-05-15) → edge-26.5.3 (2026-05-21) → edge-26.5.4 (2026-05-29) → edge-26.5.5 (2026-05-29); all published by GitHub Actions bot |
| info | tag_signature | Release tag is PGP-signed | edge-26.5.5 tag has valid PGP signature from Allison Richardet (Linkerd maintainer, allison@buoyant.io); signature verified by GitHub |
| info | changelog_present | Changelog documents the release | Release notes list dependency bumps with references |
| info | external_signal | Release has normal adoption footprint | CLI binaries downloaded, indicating normal usage; no zero-footprint anomaly |
Source ↔ artifact correspondence
- Old version anchor: Git tag `edge-26.4.4` exists on `github.com/linkerd/linkerd2`, points to commit `811943c390851d9a57336c4d04ec1f17d2a7de01` (2026-04-23T18:35:38Z). Release published 2026-04-24T12:43:14Z. ✓
- New version anchor: Git tag `edge-26.5.5` exists on `github.com/linkerd/linkerd2`, points to commit `e36e9e1bcf7248110d8d2e938aff3de0f49e6725` (2026-05-29T20:57:19Z). Release published 2026-05-29T21:36:16Z. ✓
- Method: Git tag matching (SemVer-style `edge-X.Y.Z` tags on source repo correspond to Helm chart version `X.Y.Z`)
Signatures and attestations
| | Old | New |
|---|---|---|
| Cosign signature present | unknown | unknown |
| Signing identity | PGP tag signature (Allison Richardet) | PGP tag signature (Allison Richardet) |
| SLSA provenance present | unknown | unknown |
| Builder identity | GitHub Actions (inferred from release author) | GitHub Actions (inferred from release author) |
| SBOM attached | unknown | unknown |
Note: Helm charts published from GitHub releases do not typically include OCI image signatures or SLSA attestations in the release artifacts themselves. The source repo tags are PGP-signed by maintainers, which is the expected provenance mechanism for this project. No regression in signing practices detected.
Metadata drift
Chart metadata comparison (Chart.yaml):
- apiVersion: `v2` (unchanged)
- name: `linkerd-control-plane` (unchanged)
- sources: `https://github.com/linkerd/linkerd2/` (unchanged)
- maintainers: `Linkerd authors <cncf-linkerd-dev@lists.cncf.io>` (unchanged)
- kubeVersion: `>=1.23.0-0` (unchanged in both versions)
- appVersion: Placeholder `edge-XX.X.X` (CI-substituted at publish time; expected)
- version: Placeholder `0.0.0-undefined` (CI-substituted at publish time; expected)
Assessment: No unexplained metadata drift. Chart structure and maintainer information are consistent.
Typosquat / confusable check
- Checked for common confusables: `linkerd-control-plane` vs. `linkerd-proxy`, `linkerd-viz`, `linkerd-cni`, etc.
- No typosquats or namespace confusion detected.
- Chart is published under the official Linkerd GitHub organization (`linkerd/linkerd2`).
- Findings: None — this is the canonical chart.
Repo health
- Ownership transfer in last 90d: No evidence of ownership transfer. Repo remains under the `linkerd` organization.
- Archived: No — repo is active with continuous releases.
- New committers in version range (2026-04-24 to 2026-05-29):
  - `arichardet` (Allison Richardet) — first contribution in the `edge-26.4.4` release, but is a known Linkerd maintainer (signed the `edge-26.5.5` tag).
  - `sdickhoven` (Simon Dickhoven) — first contribution in `edge-26.4.4`, merged by maintainers.
  - `raykroeker` — first contribution in `edge-26.4.4`, merged by maintainers.
  - `unleashed` — first contribution in `edge-26.4.4`, merged by maintainers.
  - `Tolsto`, `cbond-cohere`, `gaganhr94`, `officialasishkumar`, `immanuwell` — first-time contributors in `edge-26.5.x` releases, all PRs reviewed and merged by established maintainers.
  - Assessment: New contributors are normal for an active open-source project. All contributions are reviewed and merged through standard GitHub workflows. No suspicious patterns.
- Workflow file changes affecting release pipeline: No changes to release workflows detected in the version range. Release process remains consistent (GitHub Actions bot publishes releases).
Summary
The linkerd-control-plane Helm chart update from 2026.4.4 to 2026.5.5 shows no indicators of compromise:
- ✅ Source correspondence verified: Both versions have matching git tags and commits on the official Linkerd repository.
- ✅ Publisher continuity: Same maintainer team, same GitHub organization, same release process.
- ✅ Release continuity: Logical sequence of releases with documented changes.
- ✅ Signatures present: Git tags are PGP-signed by known Linkerd maintainers.
- ✅ No metadata drift: Chart configuration unchanged between versions.
- ✅ No typosquats: Chart is under the canonical `linkerd` namespace.
- ✅ Repo health: No ownership transfers, no archival, normal contributor patterns.
- ✅ External signal: Release has normal adoption (CLI binaries downloaded).
This is a routine, legitimate release from the Linkerd project.
Sub-agent reports -- linkerd-viz
Breaking-change impact
I now have all the information I need. Let me compile the complete analysis.
Key findings from my research:
- K3s version: `v1.34.2+k3s1` — well above the new minimum K8s 1.31 requirement
- `nativeSidecar` default changed: In `edge-26.4.4`, `proxy.nativeSidecar: false`. In `edge-26.5.5`, `proxy.nativeSidecar: true`. This is a significant default change — the deployment does NOT override this value in its `linkerd-control-plane` Helm values (only `identity.externalCA`, `identity.issuer.scheme`, and `cniEnabled` are set). This means the proxy injector will now inject native sidecars by default for all meshed pods.
- `waitBeforeExitSeconds` comment updated: In the new version, the comment says "Ignored when nativeSidecar=true" — this is informational since the deployment doesn't set this.
- `honorTimestamps` added to PodMonitor: New fields added to `podMonitor.controller` and `podMonitor.proxy` — but `podMonitor.enabled` defaults to `false` and the deployment doesn't override it, so no impact.
- Minimum K8s version bumped to 1.31 (in edge-26.5.1): Cluster runs k3s v1.34.2 — no impact.
- proxy-init bumped to v2.4.9, cni-plugin to v1.6.8 (in edge-26.5.5): Minor version bumps.
- Architecture: edge-26.5.4/5 CLI assets include `linux-arm64` — arm64 support confirmed.
The critical finding is the nativeSidecar default flip from false to true. This affects all ~25 meshed pods in the cluster. Native sidecars use Kubernetes KEP-753 (requires K8s ≥1.29, cluster is on 1.34 — OK). However, this is a behavioral change: pods will need to be restarted to pick up the new injection mode, and the behavior of the proxy sidecar changes (startup ordering, lifecycle). The VPA has linkerd-proxy containers with mode: "Off" — these should still work. The waitBeforeExitSeconds: 0 default is unchanged and is "ignored when nativeSidecar=true" per the new comment, which is fine.
The native sidecar change is a monitor severity — it's a meaningful behavioral change to all meshed pods but K8s 1.34 fully supports it, and the change is designed to be safe. Existing running pods won't change until they restart (rolling update or pod restart). The rolling update itself is safe.
Impact verdict: linkerd 2026.4.4 → 2026.5.5 (PR #3096)
Verdict
merge_with_actions
The upgrade flips proxy.nativeSidecar from false to true by default — a cluster-wide behavioral change affecting all ~25 meshed pods — but the cluster runs K8s 1.34 which fully supports native sidecars, and no other blocking changes were found in the 2026.4.4 → 2026.5.5 range. The operator should be aware that all meshed pods will transition to native sidecar mode on their next restart/rolling update.
Blast radius
- Scope: cluster_wide (service mesh control plane + all meshed data-plane pods)
- Direct usage: 1 manifest — `rpi5/apps/templates/internal/linkerd.yaml` (4 ArgoCD Applications: linkerd-crds, linkerd-control-plane, linkerd-viz, linkerd2-cni)
- Transitive dependents: ~25 meshed pods across the cluster
  - sonarr — `linkerd.io/inject: enabled` on StatefulSet
  - radarr — `linkerd.io/inject: enabled` on StatefulSet + VPA with `linkerd-proxy` container policy
  - bazarr — `linkerd.io/inject: enabled` on StatefulSet
  - nzbhydra2 — `linkerd.io/inject: enabled` on StatefulSet
  - nzbget — `linkerd.io/inject: enabled` on Deployment
  - overseerr — `linkerd.io/inject: enabled` on StatefulSet
  - navidrome — `linkerd.io/inject: enabled` on StatefulSet
  - audiobookshelf — `linkerd.io/inject: enabled` on StatefulSet
  - calibre (server + web) — `linkerd.io/inject: enabled` on StatefulSets
  - paperless + tika + gotenberg — `linkerd.io/inject: enabled`
  - speedtest — `linkerd.io/inject: enabled` on Deployment
  - blocky/prometheus + blocky/grafana — `linkerd.io/inject: enabled`
  - romance-io-api/cloudflare-bypass — `linkerd.io/inject: enabled`
  - sonarr/oauth-proxy, radarr/oauth-proxy, trailarr/oauth-proxy, calibre/oauth-proxy — `linkerd.io/inject: enabled`
  - tailscale operator StatefulSet — `linkerd.io/inject: enabled`
  - sonarr/backup CronJob — `linkerd.io/inject: enabled`
  - kustomize base templates (deployment.yaml, statefulset.yaml) — `linkerd.io/inject: enabled` (affects all workloads using these bases)
- User-facing exposure:
- Public hostnames affected: all services behind the mesh (sonarr, radarr, bazarr, navidrome, audiobookshelf, calibre, paperless, overseerr, etc.)
- Internal (oauth-gated) hostnames affected: sonarr, radarr, trailarr, calibre (server)
- Cron / scheduled jobs affected: sonarr/backup CronJob
- Failure mode if upgrade goes wrong: soft_down — if native sidecar injection causes startup ordering issues on a specific pod, that pod's rolling update could stall; old replicas continue serving until evicted
- Recovery: trivial_rollback — pin old chart version, redeploy; no data migration involved
Required actions before merge
- Review native sidecar transition — after merge, all meshed pods will receive native sidecar injection on their next restart. Verify no pods have `waitBeforeExitSeconds` set to a non-zero value in their annotations (the chart default is 0, and the new version ignores it for native sidecars anyway). Monitor rolling updates across all meshed namespaces. — see finding F1 below.
Findings
F1: proxy.nativeSidecar default flipped from false to true
- Severity: monitor
- Category: config_schema
- What changed: The `linkerd-control-plane` chart's `proxy.nativeSidecar` default value changed from `false` (edge-26.4.4) to `true` (edge-26.5.5); the comment was also updated from "This is a beta feature. It requires Kubernetes >= 1.29." to simply noting it is enabled by default.
- Why it affects this deployment: `rpi5/apps/templates/internal/linkerd.yaml` sets only `identity.externalCA: true`, `identity.issuer.scheme: kubernetes.io/tls`, and `cniEnabled: true` in the `linkerd-control-plane` Helm values — `proxy.nativeSidecar` is not overridden, so the new default of `true` takes effect. All ~25 pods with `linkerd.io/inject: enabled` will be re-injected as native sidecars on their next rolling update or pod restart. The cluster runs K3s v1.34.2 (K8s 1.34), which fully supports KEP-753 native sidecars (requires ≥1.29), so the feature gate is not a concern. The behavioral difference: native sidecars use the `initContainers` sidecar lifecycle rather than a regular sidecar container, which changes startup ordering and termination behavior. The `waitBeforeExitSeconds` value (default 0, not overridden anywhere in the repo) is now explicitly documented as "ignored when nativeSidecar=true" — no impact since it's 0.
- Affected dependents: All meshed pods listed in blast radius — sonarr, radarr, bazarr, nzbhydra2, nzbget, overseerr, navidrome, audiobookshelf, calibre (server+web), paperless, tika, gotenberg, speedtest, blocky/prometheus, blocky/grafana, romance-io-api, oauth-proxy deployments (sonarr/radarr/trailarr/calibre), tailscale StatefulSet, sonarr backup CronJob
- Required action: No blocking action required. Monitor rolling updates after merge. If any pod fails to start with native sidecar injection, the per-pod annotation `config.linkerd.io/proxy-inject-native-sidecar: "false"` can be used to opt out on individual workloads. Alternatively, add `proxy.nativeSidecar: "false"` to the `linkerd-control-plane` Helm values in `linkerd.yaml` to preserve the old behavior cluster-wide.
- Source: Upstream Linkerd project (edge-26.5.2 release); https://github.com/linkerd/linkerd2/releases/tag/edge-26.5.1
- Confidence: documented
- Render-limited: no — confirmed by direct comparison of `charts/linkerd-control-plane/values.yaml` between the two tags
F2: Minimum supported Kubernetes version bumped to 1.31
- Severity: informational
- Category: k8s_api
- What changed: edge-26.5.1 bumped the minimum supported Kubernetes version (MSKV) to 1.31.
- Why it affects this deployment: The cluster runs K3s `v1.34.2+k3s1` (K8s 1.34), which is well above 1.31. No impact.
- Affected dependents: none
- Required action: no action — informational
- Source: https://github.com/linkerd/linkerd2/releases/tag/edge-26.5.1
- Confidence: documented
- Render-limited: no
F3: proxy-init bumped to v2.4.9, cni-plugin to v1.6.8
- Severity: informational
- Category: image_structure
- What changed: edge-26.5.5 upgrades `proxy-init` from v2.4.x to v2.4.9 and `cni-plugin` to v1.6.8.
- Why it affects this deployment: These are patch-level bumps to the init container and CNI plugin images. The deployment uses `cniEnabled: true` and the CNI plugin is deployed via the `linkerd2-cni` chart. No configuration interface changes were documented for these versions.
- Affected dependents: All meshed pods (proxy-init runs as init container on injection); all nodes (CNI plugin runs as DaemonSet)
- Required action: no action — informational
- Source: Upstream Linkerd project (edge-26.5.5 release)
- Confidence: documented
- Render-limited: no
F4: honorTimestamps field added to PodMonitor configuration
- Severity: informational
- Category: config_schema
- What changed: edge-26.5.2 added `honorTimestamps` fields to `podMonitor.controller` and `podMonitor.proxy` in `values.yaml`.
- Why it affects this deployment: The `linkerd-control-plane` chart's `podMonitor.enabled` defaults to `false` and is not overridden in this deployment's Helm values. PodMonitors are not created. No impact.
- Affected dependents: none
- Required action: no action — informational
- Source: Upstream Linkerd project (edge-26.5.2 release)
- Confidence: documented
- Render-limited: no
F5: fix(destination): Restrict Servers from affecting workloads in other namespaces
- Severity: informational
- Category: networking
- What changed: edge-26.5.2 fixes a bug where `Server` policy resources could affect workloads in other namespaces. This is a correctness fix.
- Why it affects this deployment: No `Server` CRs were found in the repo. If any were present, this fix could change effective policy — but since none exist, no impact.
- Affected dependents: none
- Required action: no action — informational
- Source: https://github.com/linkerd/linkerd2/releases/tag/edge-26.5.2
- Confidence: documented
- Render-limited: no
F6: Destination controller memory reduction (edge-26.5.1)
- Severity: informational
- Category: resources
- What changed: edge-26.5.1 significantly reduces memory usage in the destination controller on busy systems.
- Why it affects this deployment: This is a positive change (lower memory usage). No resource limits are set for the destination controller in this deployment's values, so no risk of OOM from this change.
- Affected dependents: none (beneficial change)
- Required action: no action — informational
- Source: https://github.com/linkerd/linkerd2/releases/tag/edge-26.5.1
- Confidence: documented
- Render-limited: no
Deployment fingerprint (summary)
linkerd-crds (ArgoCD Application):
- Chart: `linkerd-crds` from `https://helm.linkerd.io/edge`
- Values: `installGatewayAPI: false`
- Namespace: `linkerd`
linkerd-control-plane (ArgoCD Application):
- Chart: `linkerd-control-plane` from `https://helm.linkerd.io/edge`
- Values overrides: `identity.externalCA: true`, `identity.issuer.scheme: kubernetes.io/tls`, `cniEnabled: true`
  - `proxy.nativeSidecar` NOT overridden — takes new default of `true`
  - `podMonitor.enabled` NOT overridden — defaults to `false`
- TLS: cert-manager `Certificate` + `ClusterIssuer` + trust-manager `Bundle` for trust anchor rotation
- Namespace: `linkerd`
linkerd-viz (ArgoCD Application):
- Chart: `linkerd-viz` from `https://helm.linkerd.io/edge`
- No Helm values overrides
- Namespace: `linkerd-viz`
linkerd2-cni (ArgoCD Application):
- Chart: `linkerd2-cni` from `https://helm.linkerd.io/edge`
- Values: `destCNINetDir: /var/lib/rancher/k3s/agent/etc/cni/net.d`, `destCNIBinDir: /var/lib/rancher/k3s/data/cni`, `repairController.enabled: true`
- Namespace: `linkerd-cni`
Meshed workloads (~25
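One way to verify the transition described in F1 after the merge (an added example, not part of the review output or the Linkerd project's own tooling): classify each pod by whether `linkerd-proxy` runs as a KEP-753 native sidecar (an `initContainers` entry with `restartPolicy: Always`) or as a pre-upgrade classic sidecar container, and flag pods carrying the opt-out annotation quoted in F1. The pod list below is constructed; the annotation name is taken from the review text as-is.

```python
"""Classify how linkerd-proxy is injected per pod (KEP-753 native sidecar =
initContainers entry with restartPolicy: Always; classic = regular container).
Use --stdin to read `kubectl get pods -A -o json`; otherwise the sample runs."""
import json
import sys

PROXY = "linkerd-proxy"
# Opt-out annotation as quoted in finding F1 of the review (assumed verbatim).
NATIVE_OPT_OUT = "config.linkerd.io/proxy-inject-native-sidecar"

def classify_pod(pod: dict) -> dict:
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    annotations = meta.get("annotations") or {}
    native = any(c.get("name") == PROXY and c.get("restartPolicy") == "Always"
                 for c in spec.get("initContainers") or [])
    classic = any(c.get("name") == PROXY for c in spec.get("containers") or [])
    mode = "native" if native else ("classic" if classic else "unmeshed")
    return {"pod": f"{meta.get('namespace', '')}/{meta.get('name', '')}",
            "mode": mode,
            "opted_out": annotations.get(NATIVE_OPT_OUT) == "false"}

def summarize(pod_list: dict) -> dict:
    # Count pods per injection mode across a PodList; after the upgrade,
    # "classic" pods are the ones that have not restarted yet.
    counts = {"native": 0, "classic": 0, "unmeshed": 0}
    for pod in pod_list.get("items", []):
        counts[classify_pod(pod)["mode"]] += 1
    return counts

# Constructed sample: one pod re-injected after restart, one still on the
# pre-upgrade injection, one opted out with the annotation from F1.
SAMPLE = {"items": [
    {"metadata": {"namespace": "sonarr", "name": "sonarr-0",
                  "annotations": {"linkerd.io/inject": "enabled"}},
     "spec": {"initContainers": [{"name": PROXY, "restartPolicy": "Always"}],
              "containers": [{"name": "sonarr"}]}},
    {"metadata": {"namespace": "radarr", "name": "radarr-0",
                  "annotations": {"linkerd.io/inject": "enabled"}},
     "spec": {"containers": [{"name": PROXY}, {"name": "radarr"}]}},
    {"metadata": {"namespace": "calibre", "name": "calibre-web-0",
                  "annotations": {"linkerd.io/inject": "enabled",
                                  NATIVE_OPT_OUT: "false"}},
     "spec": {"containers": [{"name": PROXY}, {"name": "calibre-web"}]}},
]}

if __name__ == "__main__":
    data = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE
    for item in data.get("items", []):
        print(classify_pod(item))
    print(summarize(data))
```

Run it against the live cluster with `kubectl get pods -A -o json | python3 check_native_sidecar.py --stdin`; a non-zero "classic" count after all rolling updates have completed points at a pod that was not re-injected.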
This PR contains the following updates:
2026.4.4 → 2026.5.5 (listed four times, once per chart update)
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Configuration
📅 Schedule: (in timezone America/Los_Angeles)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.